Cybersecurity in the Insurance Industry
Author: Charles Snyder
For those who work in or depend on the insurance industry, knowledge of potential threats, vulnerabilities and mitigation strategies associated with cybersecurity risks is an increasing priority. Cybersecurity risks affect payers, service providers, brokers, agents and, of course, consumers of different insurance products and services. The various insurance segments—health, life and property and casualty—have unique characteristics that determine how susceptible they are to cyberthreats.
Why has cybersecurity—the ability to protect networks, computers, programs and data from attack, damage or unauthorized access—become such a significant concern? And why should organizations and individuals in the insurance industry establish safeguards to help mitigate these threats? These are critical questions, especially in light of recent attacks and concerns raised by federal, state and local governments.
The media has recently reported a number of large data breaches, many of which significantly affect consumers, clients and commercial organizations. In late 2014, a sophisticated attack involving the seizure of Anthem system administrator credentials led to the possible exposure of more than 80 million records containing protected health information (PHI). In September 2015, Excellus BlueCross BlueShield announced that the information of 10 million of its customers had been exposed in a massive breach. Recent court orders allow the Federal Trade Commission (FTC) more leeway in pursuing lawsuits on behalf of impacted consumers.
In addition, the U.S. government, through the Department of Homeland Security (DHS) and National Institute of Standards and Technology (NIST), has recognized the threat of cyberattacks on critical U.S. infrastructure. The recognition of these threats has led to the development of standards, voluntary guidelines, updated regulations and expectations of improved industry cybersecurity.
Why are so many attackers attracted to insurance companies? Insurance is a data-driven industry that retains valuable data and information assets. These assets can include:
- Electronic PHI
- Other personal identifying information, such as Social Security numbers, birth dates and related beneficiary information
- Financial information, including credit card data covered by the Payment Card Industry standards
- Demographic and other secondary information, including names, addresses and phone numbers
The nature of insurance operations exposes these assets to additional vulnerabilities. Criminal organizations, nations and individuals can exploit inappropriate access to this information to support various criminal activities. One example is spear phishing—a social engineering attack where perpetrators masquerade as a trusted party to obtain important information such as passwords from the victim to use in blackmail and fraud. Health care data can be exploited to file fraudulent claims, support identity theft, target secondary attacks against consumers and businesses or blackmail patients who wish to keep certain conditions or treatments confidential. Direct financial data such as credit card numbers and banking accounts can be used to access consumers’ and organizations’ financial assets. Demographics, property location, property coverage values and supporting rider information could be used by criminal organizations to target customers for property crimes.
These data assets can become liabilities unless properly identified and protected. Certain characteristics of the modern insurance industry can introduce additional vulnerability. Consumers are demanding a full suite of digital experiences and capabilities, including online access to policies, claims and payment information. These expectations now have been extended to include continual access via mobile devices. In addition, insurance operations require fluid data sharing with multiple business associates and supporting organizations to process payments and claims.
DHS has identified health insurance as part of the Healthcare and Public Health critical sector, and property and casualty insurance as part of the Banking and Finance critical sector. DHS has developed specific action plans for the cybersecurity threats facing these sectors.
To provide state insurance regulators with additional guidance, the National Association of Insurance Commissioners published Principles for Effective Cybersecurity: Insurance Regulatory Guidance. Principle 4 of these guidelines recommends risk management efforts like those embodied in the NIST framework.
In February 2013, President Obama issued Executive Order 13636, Improving Critical Infrastructure Cybersecurity. As a result of this executive order, NIST developed a voluntary Cybersecurity Framework for reducing cyber risks. The core of the NIST Cybersecurity Framework is based on the assessment of the organization’s current environment or state, projecting required future states and developing action plans for five essential cybersecurity functions:
To fully understand the cybersecurity risks facing an organization, NIST recommends using risk management tools such as risk assessment methodologies and mitigation efforts. For more information on cybersecurity and risk management issues, contact your BKD advisor.